paolobarbolini/paolo565.org.conf

## paolo565.org.conf
# WARNING: This is the nginx configuration i use for https://www.paolo565.org
# You may have to do some tweaking to make it work for you
# Take a look at this post if you want to know more about my configuration
# https://www.paolo565.org/blog/creating-my-blog/

# How i generate my certificate using certbot
# certbot certonly --webroot -w /var/www/ssl-challenge/ -d paolo565.org,www.paolo565.org --must-staple

# Things i put inside the http block
# server_tokens off;
# ssl_session_tickets off;

resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;

server {
    listen 80;
    listen [::]:80;

    server_name www.paolo565.org paolo565.org;

    # Let's encrypt support
    location ^~ /.well-known/ {
        alias /var/www/ssl-challenge/.well-known/;
        allow all;
        try_files $uri $uri/ =404;
    }

    # Redirect http://paolo565.org and http://www.paolo565.org to https://www.paolo565.org
    location / {
        return 301 https://www.paolo565.org$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name www.paolo565.org paolo565.org;

    ssl_certificate /etc/letsencrypt/live/paolo565.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/paolo565.org/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/paolo565.org/fullchain.pem;

    # This ssl configuration gets me an A+ on ssllabs.com

    # Generated with:
    # openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    ssl_stapling on;
    ssl_stapling_verify on;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;

    root /var/www/www.paolo565.org/GIT_COMMIT_HASH_OF_LAST_DEPLOY/;

    # Redirect https://paolo565.org to https://www.paolo565.org
    if ($host = 'paolo565.org') {
        return 301 https://www.paolo565.org$request_uri;
    }

    access_log /var/log/nginx/paolo565.org.log;

    index index.html;

    error_page 404 /404.html;

    location / {
        try_files $uri $uri/ =404;
    }

    # Tell the browser that pages can be cached for up to 5 minutes
    location ~ \.html$ {
        expires 5m;
    }

    # Tell the browser that static assets can be cached up to 1 year
    # It's important to do cache busting when you update a file to make sure
    # every browser receives it
    location ~ \.(png|jpg|jpeg|svg|css|js)$ {
        expires 1y;
    }

    # When i deploy the site i generate the gzipped version of every page with
    # gzip SITE_FOLDER --keep -9 --recursive

    # so i don't need nginx to compress files on the fly
    gzip off;
    # If the cliend supports gzip serve: REQUESTED_FILE_NAME.gz
    gzip_static on;

    # Security headers
    # With these i get an A on securityheaders.io
    add_header Strict-Transport-Security "max-age=31536000" always;

    add_header X-Frame-Options "DENY" always;

    add_header X-Xss-Protection "1; mode=block" always;

    add_header X-Content-Type-Options "nosniff" always;

    add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; frame-src *;" always;

    add_header Referrer-Policy "no-referrer-when-downgrade" always;
}
	# WARNING: This is the nginx configuration i use for https://www.paolo565.org
	# You may have to do some tweaking to make it work for you
	# Take a look at this post if you want to know more about my configuration
	# https://www.paolo565.org/blog/creating-my-blog/

	# How i generate my certificate using certbot
	# certbot certonly --webroot -w /var/www/ssl-challenge/ -d paolo565.org,www.paolo565.org --must-staple

	# Things i put inside the http block
	# server_tokens off;
	# ssl_session_tickets off;

	resolver 8.8.8.8 8.8.4.4 valid=300s;
	resolver_timeout 30s;

	server {
	listen 80;
	listen [::]:80;

	server_name www.paolo565.org paolo565.org;

	# Let's encrypt support
	location ^~ /.well-known/ {
	alias /var/www/ssl-challenge/.well-known/;
	allow all;
	try_files $uri $uri/ =404;
	}

	# Redirect http://paolo565.org and http://www.paolo565.org to https://www.paolo565.org
	location / {
	return 301 https://www.paolo565.org$request_uri;
	}
	}

	server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name www.paolo565.org paolo565.org;

	ssl_certificate /etc/letsencrypt/live/paolo565.org/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/paolo565.org/privkey.pem;
	ssl_trusted_certificate /etc/letsencrypt/live/paolo565.org/fullchain.pem;

	# This ssl configuration gets me an A+ on ssllabs.com

	# Generated with:
	# openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
	ssl_dhparam /etc/nginx/ssl/dhparam.pem;

	ssl_stapling on;
	ssl_stapling_verify on;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

	ssl_session_cache shared:SSL:50m;
	ssl_session_timeout 1d;

	root /var/www/www.paolo565.org/GIT_COMMIT_HASH_OF_LAST_DEPLOY/;

	# Redirect https://paolo565.org to https://www.paolo565.org
	if ($host = 'paolo565.org') {
	return 301 https://www.paolo565.org$request_uri;
	}

	access_log /var/log/nginx/paolo565.org.log;

	index index.html;

	error_page 404 /404.html;

	location / {
	try_files $uri $uri/ =404;
	}

	# Tell the browser that pages can be cached for up to 5 minutes
	location ~ \.html$ {
	expires 5m;
	}

	# Tell the browser that static assets can be cached up to 1 year
	# It's important to do cache busting when you update a file to make sure
	# every browser receives it
	location ~ \.(png\|jpg\|jpeg\|svg\|css\|js)$ {
	expires 1y;
	}

	# When i deploy the site i generate the gzipped version of every page with
	# gzip SITE_FOLDER --keep -9 --recursive

	# so i don't need nginx to compress files on the fly
	gzip off;
	# If the cliend supports gzip serve: REQUESTED_FILE_NAME.gz
	gzip_static on;

	# Security headers
	# With these i get an A on securityheaders.io
	add_header Strict-Transport-Security "max-age=31536000" always;

	add_header X-Frame-Options "DENY" always;

	add_header X-Xss-Protection "1; mode=block" always;

	add_header X-Content-Type-Options "nosniff" always;

	add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; frame-src *;" always;

	add_header Referrer-Policy "no-referrer-when-downgrade" always;
	}